After a series of ‘lock-down’ Covid-19 restrictions, many employees are now returning to their place of work in 2022 as restrictions are either further eased or lifted entirely.
In 2020, in response to the pandemic, the ICO issued a list of 6 key steps that organisations need to consider around the use of personal information, and it has recently published some further recommendations that organisations need to consider. We have extracted the key parts of the guidance and added further points to consider.
This may seem obvious; however, the following basic steps should help you to identify whether the approach is fair, reasonable and proportionate and therefore more likely to be compliant with data protection law:
This really echoes the point above - don’t collect personal data unless strictly necessary to do so and remove / delete it when it is no longer required. It is important to have clear policies around collection, use and retention of personal data to ensure this principle is complied with in your organisation.
Ensure employee privacy notices are up to date, setting out how and why employee personal information will be used and the implications for them (e.g. who you will share their information with and for how long you intend to keep it).
If you intend to make decisions about your staff based on the health information you collect, you must make sure that the approach you adopt is fair and considered. When identifying the types of decisions you will make using the information collected, it will be important to think carefully about any detriment your staff might suffer as a result of your policy, and tailor this approach in order to minimise the risk of potential discrimination claims.
Ensure that company processes for secure handling and storage of personal data are observed and make sure the policies are documented and that staff are trained (this should include a retention policy setting out how long information should be retained for and the process for secure deletion / removal from systems).
Make sure you inform individuals about their rights in relation to their personal data – again, this reinforces the point that written policies and procedures should be in place and regularly updated to take account of any changes, and that staff should be able to quickly and easily access the applicable policy / procedure. Ensure regular awareness campaigns are scheduled to keep staff updated – an email followed up with a video / audio conference call can be a powerful tool to ensure staff are aware and can ask questions.
If you are continuing to collect information regarding a person’s vaccination status, you must be clear about what it is you are trying to achieve in collecting such information, and how asking people for their vaccination details will help to achieve this.
Echoing the ICO’s 6 key steps published in 2020, you must use this data fairly, and it must be relevant and necessary for a specific purpose. If you cannot specify a use for vaccination information, or you can achieve your aim without collecting vaccination data, then you are unlikely to be able to justify collecting it.
Remember, a person’s vaccination status is health data which falls under ‘special category data’, and you must therefore identify a special category processing condition under Article 9 UK GDPR in order to process this information. It would also be prudent to check your contracts with employees and consider employment law, any health and safety requirements and a person’s privacy rights, before making a decision as to whether you are able to continue collecting vaccination information.
Staff can be kept informed about potential or confirmed Covid-19 cases; data protection law doesn’t prevent this. However, information about these cases should only be provided insofar as it is necessary, and you should avoid naming individuals when providing information on Covid-19 cases to other colleagues where possible.